WannaCash is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on March 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: WannaCash NextGen, WannaCash 2.0.
Quick Facts
Ransomware Family
WannaCash
First Seen
March 1, 2019
Known Aliases
WannaCash NextGenWannaCash 2.0
How WannaCash Ransomware Works
Targeted Files
https://app.any.run/tasks/e2e71ce6-2b34-4d62-b441-1188cb8d2e39/
https://app.any.run/tasks/d9568274-6cd2-4502-8644-563534807588/
https://app.any.run/tasks/2807f1d7-c499-4347-a4a8-82a46461ad80/
https://app.any.run/tasks/175b00d9-0858-474e-afaf-854ba032e66e/
https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0/5dda51f544561379146913db
Packs files to ZIP with password -> Файл зашифрован [core.py] .zip
encrypted(Документ Microsoft Word (2).docx)
File Encryption Patterns
WannaCash modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..wannacash..punisher..happy new year
Prefixes added to encrypted files:
encrypted(Файл зашифрован
Ransom Note and Payment Demands
After encrypting files, WannaCash displays ransom notes demanding payment for file recovery:
fileкак расшифровать файлы.txt
Ransom message:
notes/как расшифровать файлы.txt
Note locations:
UserFoldersTemp
fileContribution.txt
Ransom message:
notes/Contribution.txt
fileContribution.txt
Technical Indicators
Associated Executable Files
The following executable files are associated with WannaCash ransomware:
Ключи_активации_на_365.exe
Ключи активации на 365.exe
Ключи активации на 365 дней.exe
Ключи активации на 365 дней-2010.exe
dobro
hostsss.exe
eset keys [до 06.06.2020].exe
egui.exe
EGUIS.EXE
Ключи для ESET[all versions] на 365 дней.exe
ESETNOD.exe
egui.exe, eguis_upx.exe
Ключи активации на год_.exe
Elastio Can Help You
Don't let WannaCash ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
This WannaCash ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like WannaCash.